` element and hence breaks if you try to wrap that in a ``.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 726094754, "label": "Add horizontal scrollbar to tables"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1036#issuecomment-713226726", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1036", "id": 713226726, "node_id": "MDEyOklzc3VlQ29tbWVudDcxMzIyNjcyNg==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-10-21T01:04:25Z", "updated_at": "2020-10-21T01:04:25Z", "author_association": "OWNER", "body": "Extra security idea: a `blob_download_host` setting which can be used to indicate a host that should be used for downloads - for example `datasettestatic.com`. If this setting is populated then binary downloads are served from paths on that host only, and no other Datasette URLs from that host will be served.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 725996507, "label": "Make it possible to download BLOB data from the Datasette UI"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/262#issuecomment-713208667", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/262", "id": 713208667, "node_id": "MDEyOklzc3VlQ29tbWVudDcxMzIwODY2Nw==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-10-21T00:03:18Z", "updated_at": "2020-10-21T00:03:18Z", "author_association": "OWNER", "body": "I think I should prioritize the facets component of this, since that could have significant performance wins while also supporting `datasette-graphql`.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 323658641, "label": "Add ?_extra= mechanism for requesting extra properties in JSON"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/262#issuecomment-713200782", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/262", "id": 713200782, "node_id": "MDEyOklzc3VlQ29tbWVudDcxMzIwMDc4Mg==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-10-20T23:41:30Z", "updated_at": "2020-10-20T23:41:30Z", "author_association": "OWNER", "body": "This is now blocking https://github.com/simonw/datasette-graphql/issues/61 because that issue needs a way to turn off suggested facets when retrieving the results of a table query.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 323658641, "label": "Add ?_extra= mechanism for requesting extra properties in JSON"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1034#issuecomment-713191819", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1034", "id": 713191819, "node_id": "MDEyOklzc3VlQ29tbWVudDcxMzE5MTgxOQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-10-20T23:12:58Z", "updated_at": "2020-10-20T23:12:58Z", "author_association": "OWNER", "body": "Enzo has a great solution here: https://twitter.com/enzo_mdd/status/1318685442976436226\r\n\r\n> Or maybe an option for a url. This keeps the CSV small but allows scripts to download binary data as needed.\r\n\r\nIn #1036 I'm planning on adding a way for users to access BLOB data. I can include that URL in the CSV output.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 725184645, "label": "Better way of representing binary data in .csv output"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1036#issuecomment-713186189", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1036", "id": 713186189, "node_id": "MDEyOklzc3VlQ29tbWVudDcxMzE4NjE4OQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-10-20T22:56:33Z", "updated_at": "2020-10-20T22:56:33Z", "author_association": "OWNER", "body": "I think this plus the binary-CSV stuff in #1034 will justify a dedicated section of the documentation to talk about how Datasette handles binary BLOB columns.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 725996507, "label": "Make it possible to download BLOB data from the Datasette UI"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1036#issuecomment-713185871", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1036", "id": 713185871, "node_id": "MDEyOklzc3VlQ29tbWVudDcxMzE4NTg3MQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-10-20T22:55:36Z", "updated_at": "2020-10-20T22:55:36Z", "author_association": "OWNER", "body": "I can also use a `Content-Disposition` header to force a download. I'm reasonably confident that the combination of `Content-Disposition` and `X-Content-Type-Options: nosniff` and `application/binary` will let me allow users to download the contents of arbitrary BLOB columns without any XSS risk.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 725996507, "label": "Make it possible to download BLOB data from the Datasette UI"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1036#issuecomment-713185173", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1036", "id": 713185173, "node_id": "MDEyOklzc3VlQ29tbWVudDcxMzE4NTE3Mw==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-10-20T22:53:41Z", "updated_at": "2020-10-20T22:53:41Z", "author_association": "OWNER", "body": "https://security.stackexchange.com/questions/12896/does-x-content-type-options-really-prevent-content-sniffing-attacks says:\r\n\r\n> In Tangled Web Michal Zalewski says:\r\n> \r\n> > Refrain from using Content-Type: application/octet-stream and use application/binary instead, especially for unknown document types. Refrain from returning Content-Type: text/plain.\r\n> > \r\n> > For example, any code-hosting platform must exercise caution when returning executables or source archives as application/octet-stream, because there is a risk they may be misinterpreted as HTML and displayed inline.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 725996507, "label": "Make it possible to download BLOB data from the Datasette UI"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1036#issuecomment-713184374", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1036", "id": 713184374, "node_id": "MDEyOklzc3VlQ29tbWVudDcxMzE4NDM3NA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-10-20T22:51:22Z", "updated_at": "2020-10-20T22:51:22Z", "author_association": "OWNER", "body": "From https://hackerone.com/reports/126197:\r\n\r\n> archive.uber.com mirrors pypi. When downloading `.tar.gz` files from archive.uber.com, the MIME type is `application/octet-stream`. Injecting `` into the start of the `.tar.gz` causes an XSS in Internet Explorer due to MIME sniffing.\r\n\r\nSo you do have to be careful not to open accidental XSS holes with `application/octet-stream` thanks to (presumably older) versions of IE.\r\n\r\nFrom that thread it looks like the solution is to add an `X-Content-Type-Options: nosniff` header.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 725996507, "label": "Make it possible to download BLOB data from the Datasette UI"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1036#issuecomment-713183306", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1036", "id": 713183306, "node_id": "MDEyOklzc3VlQ29tbWVudDcxMzE4MzMwNg==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-10-20T22:48:10Z", "updated_at": "2020-10-20T22:48:10Z", "author_association": "OWNER", "body": "Twitter thread: https://twitter.com/dancow/status/1318681053347840005", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 725996507, "label": "Make it possible to download BLOB data from the Datasette UI"}, "performed_via_github_app": null}